This listing of claims will replace all prior versions and listings of claims in this
application: 

Listing of Claims 

1. (Previously presented) A network comprising: 
a first network domain; 

a first routing device at a boundary between the first network domain and 
public internetworking fabric to route network traffic between the first 
network domain and the public internetworking fabric; and 

a monitor/regulator, either integrally disposed in said first routing device or 
coupled to the first routing device to monitor the network traffic routed by 
said first routing device by analyzing flow records, describing traffic 
conversation as indicated by a combination of source and destination 
addresses, received from the routing device, the monitor/regulator 
determining if the first network domain is sourcing undesirable network 
traffic, comprising a denial of service attack in which the undesirable 
network traffic is launched against a target network device in order to 
undermine the operation of that target network device by overwhelming 
the target network device with network traffic, out of the first network 
domain, 

wherein said monitor/regulator makes said determination based at least in part 
on differential characteristics between request packets routed out of said 
first network domain and response packets routed into the network domain 
and wherein said monitor/regulator instructs the first routing device to 
lower a priority of the undesirable network traffic that is being sourced 
from the first network domain in response to making said determination 
that the first network domain is sourcing the undesirable network traffic. 

2. (Cancelled) 

3. (Previously presented) The network of claim 1, wherein said
monitor/regulator infers said differential characteristics based on aggregated 
statistics of said network traffic routed out of said network domain, and 
aggregated statistics of said network traffic routed into the network domain. 

4. (Cancelled) 

5. (Previously presented) The network of claim 1, wherein said 
monitor/regulator, upon determining undesirable network traffics are being 
sourced out of said first domain, further stops said undesirable network traffic 
from being sourced out of said first domain. 

6. (Original) The network of claim 1, wherein 

said first network domain further comprises a second routing device for routing 
network traffic out of and into the first network domain; 

said monitor/regulator further monitors the network traffic routed by said 
second routing device, and determines if the first network domain is 
sourcing undesirable network traffic out of the first network domain based 
on network traffic characteristics observed of network traffic routed 
through said first and second routing devices. 

7. (Original) The network of claim 6, wherein said monitor/regulator determines 
if undesirable network traffics are being routed out of said first network domain 
through said first routing device based on network traffic characteristics observed 
of network traffic routed through said second as well as said first routing device. 

8. (Original) The network of claim 6, wherein said monitor/regulator determines 
if undesirable network traffics are being routed out of said first network domain 
through said second routing device based on network traffic characteristics 
observed of network traffic routed through said first as well as said second routing 
device. 

9. (Original) The network of claim 6, wherein said monitor/regulator, upon
determining undesirable network traffics are being sourced out of said first 
network domain, further stops said undesirable network traffic from being 
sourced out of said first network domain. 

10. (Original) The network of claim 1, wherein

said network further comprises a second network domain including a second 
routing device for routing network traffic out of and into the second 
network domain; 

said monitor/regulator further monitors the network traffic routed by said
second routing device, and determines if at least a selected one of the first
and second network domains is sourcing undesirable network traffic out of 
the selected one of the first and second network domains based on 
network traffic characteristics observed of network traffic routed through 
said first and second routing devices. 

11. (Original) The network of claim 10, wherein said monitor/regulator
determines if undesirable network traffics are being routed out of said first 
network domain through said first routing device based on network traffic 
characteristics observed of network traffic routed through said second as well as 
said first routing device. 

12. (Original) The network of claim 10, wherein said monitor/regulator 
determines if undesirable network traffics are being routed out of said second 
network domain through said second routing device based on network traffic 
characteristics observed of network traffic routed through said first as well as said 
second routing device. 

13. (Original) The network of claim 10, wherein said monitor/regulator, upon 
determining undesirable network traffics are being sourced out of at least a 
selected one of said first and second network domains, further stops said 
undesirable network traffic from being sourced out of said first and second
network domains. 

14. (Previously presented) A network traffic regulation method comprising: 
monitoring network traffic routed by a first routing device of a first network
domain; and

determining if the first network domain is sourcing undesirable network traffic, 
comprising a denial of service attack in which the undesirable network 
traffic is launched against a target network device in order to undermine
the operation of that target network device by overwhelming the target 
network device with network traffic, out of the first network domain, 
wherein the first network domain is determined to be sourcing undesirable 
network traffic by analysis of flow records describing traffic conversation, 
as indicated by a combination of source and destination addresses, 
received from the first routing device, which is positioned at a boundary 
between the first network domain and public internetworking fabric to 
route network traffic between the first network domain and the public 
internetworking fabric; 

wherein said determining comprises determining based at least in part on 
differential characteristics between request packets routed out of said 
network domain and response packets routed into the network domain; 
and 

lowering a priority of the undesirable network traffic that is being sourced 
from the first network domain in response to making said determination 
that the first network domain is sourcing the undesirable network traffic. 

15. (Cancelled) 

16. (Previously presented) The method of claim 14, wherein said determining 
comprises inferring said differential characteristics based on aggregated statistics 
of said network traffic routed out of said network domain, and aggregated
statistics of said network traffic routed into the network domain. 

17. (Cancelled) 

18. (Original) The method of claim 14, wherein the method further comprises 
stopping undesirable network traffics from being sourced out of said first network 
domain. 

19. (Original) The method of claim 14, wherein the method further comprises 
monitoring network traffic routed by a second routing device of said first
network domain; and
determining if the first network domain is sourcing undesirable network traffic 
out of the first network domain based on network traffic characteristics 
observed of network traffic routed through said first and second routing 
devices. 

20. (Original) The method of claim 19, wherein said determining comprises 
determining if undesirable network traffics are being routed out of said first 
network domain through said first routing device based on network traffic 
characteristics observed of network traffic routed through said second as well as 
said first routing device. 

21. (Original) The method of claim 19, wherein said determining comprises 
determining if undesirable network traffics are being routed out of said first 
network domain through said second routing device based on network traffic 
characteristics observed of network traffic routed through said first as well as said 
second routing device. 

22. (Original) The method of claim 19, wherein the method further comprises 
stopping undesirable network traffic from being sourced out of the first network 
domain. 

23. (Original) The method of claim 19, wherein the method further comprises
determining if at least a selected one of the first and a second network domain
is sourcing undesirable network traffic out of the selected one of the first
and second network domains based on network traffic characteristics 
observed of network traffic routed through said first and second routing 
devices. 

24. (Original) The method of claim 23, wherein said determining comprises 
determining if undesirable network traffics are being routed out of said first 
network domain through said first routing device based on network traffic 
characteristics observed of network traffic routed through said second as well as 
said first routing device. 

25. (Original) The method of claim 23, wherein said determining comprises 
determining if undesirable network traffics are being routed out of said second 
network domain through said second routing device based on network traffic 
characteristics observed of network traffic routed through said first as well as said 
second routing device. 

26. (Original) The method of claim 23, wherein the method further comprises 
stopping undesirable network traffic from being sourced out of said first and/or
second network domains. 

27. (Previously presented) An apparatus comprising: 

(a) storage medium having stored therein a plurality of programming
instructions designed to enable the apparatus to monitor network traffic
routed by a first routing device of a first network domain, the first routing 
device to route network traffic between the first network domain and 
public internetworking fabric; and programming instructions designed to 
enable the apparatus to analyze flow records describing traffic 
conversation as indicated by a combination of source and destination 
addresses received from the first routing device and determine if the first 
network domain is sourcing undesirable network traffic, comprising a
denial of service attack in which the undesirable network traffic is
launched against a target network device in order to undermine the
operation of that target network device by overwhelming the target
network device with network traffic, out of the first network domain; and
(b) a processor coupled to the storage medium to execute the programming
instructions; 

wherein the programming instructions enable the apparatus to make said 
determination based on differential characteristics between request 
packets routed out of said network domain and response packets routed 
into the network domain and instruct the first routing device to lower a 
priority of the undesirable network traffic that is being sourced from the
first network domain in response to making said determination that the 
first network domain is sourcing the undesirable network traffic. 

28. (Cancelled) 

29. (Previously presented) The apparatus of claim 27, wherein the programming 
instructions enable the apparatus to infer said differential characteristics based on 
aggregated statistics of said network traffic routed out of said network domain, 
and aggregated statistics of said network traffic routed into the network domain. 

30. (Cancelled) 

31. (Original) The apparatus of claim 27, wherein the programming instructions
further enable the apparatus to stop undesirable network traffic from being 
sourced out of said first network domain. 

32. (Original) The apparatus of claim 27, wherein the programming instructions 
enable the apparatus to monitor network traffic routed by a second routing device 
of said first network domain, and determine if the first network domain is 
sourcing undesirable network traffic out of the first network domain based on 
network traffic characteristics observed of network traffic routed through said first
and second routing devices. 

33. (Original) The apparatus of claim 32, wherein the programming instructions 
enable the apparatus to determine if undesirable network traffics are being routed 
out of said first network domain through said first routing device based on 
network traffic characteristics observed of network traffic routed through said 
second as well as said first routing device. 

34. (Original) The apparatus of claim 32, wherein the programming instructions 
enable the apparatus to determine if undesirable network traffics are being routed 
out of said first network domain through said second routing device based on 
network traffic characteristics observed of network traffic routed through said first 
as well as said second routing device. 

35. (Original) The apparatus of claim 32, wherein the programming instructions 
further enable the apparatus to stop undesirable network traffic from being 
sourced out of said first network domain.

36. (Original) The apparatus of claim 27, wherein the programming instructions 
further enable the apparatus to determine if at least a selected one of the first and a 
second network domain is sourcing undesirable network traffic out of the selected 
one of the first and second network domains based on network traffic 
characteristics observed of network traffic routed through said first and second 
routing devices. 

37. (Original) The apparatus of claim 36, wherein the programming instructions 
enable the apparatus to determine if undesirable network traffics are being routed 
out of said first network domain through said first routing device based on 
network traffic characteristics observed of network traffic routed through said 
second as well as said first routing device. 

38. (Original) The apparatus of claim 36, wherein the programming instructions
enable the apparatus to determine if undesirable network traffics are being routed 
out of said second network domain through said second routing device based on 
network traffic characteristics observed of network traffic routed through said first 
as well as said second routing device. 

39. (Original) The apparatus of claim 36, wherein the programming instructions 
further enable the apparatus to stop undesirable network traffic from being 
sourced out of said first and/or second network domains.

40. (Cancelled) 

41. (Cancelled) 

42. (Previously presented) The network of claim 1, wherein said 
monitor/regulator generates statistics concerning destination addresses and 
determines whether the first network domain is sourcing undesirable network 
traffic based on said statistics. 

43. (Previously presented) The network of claim 1, wherein said 
monitor/regulator generates statistics concerning lengths of packets and 
determines whether the first network domain is sourcing undesirable network 
traffic based on said statistics. 

44. (Previously presented) The network of claim 1, wherein said 
monitor/regulator generates statistics concerning distributions of time to live 
values and determines whether the first network domain is sourcing undesirable 
network traffic based on said statistics. 

45. (Previously presented) The network of claim 1, wherein said 
monitor/regulator tracks differences between outbound transmission control 
protocol (TCP) synchronize (SYN) and finish (FIN) packets and inbound 
response packets and determines whether the first network domain is sourcing
undesirable network traffic based on said differences.

46. (Cancelled) 

47. (Previously presented) The network of claim 1, wherein said 
monitor/regulator instructs a routing device to slow the undesirable network 
traffic. 

48. (Previously presented) A network comprising: 
a first network domain; 

a first routing device at a boundary between the first network domain and 
public internetworking fabric to route network traffic between the first 
network domain and the public internetworking fabric; and 

a second network domain including a second routing device for routing 
network traffic out of and into the second network domain; 

a monitor/regulator that monitors the network traffic routed by said first
routing device and said second routing device, and determines if at least a
selected one of the first and second network domains is sourcing 
undesirable network traffic out of the selected one of the first and second 
network domains based on network traffic characteristics observed of 
network traffic routed through said first and second routing devices; 

wherein said monitor/regulator, upon determining undesirable network traffics 
are being sourced out of at least a selected one of said first and second 
network domains, lowers a threshold for concluding that undesirable 
network traffic are being sourced out of an other one of said first and 
second network domains. 

49. (Cancelled) 

50. (Cancelled) 

51. (Previously presented) The method of claim 14, further comprising
generating statistics concerning destination addresses and determining whether 
the first network domain is sourcing undesirable network traffic based on said 
statistics. 

52. (Previously presented) The method of claim 14, further comprising 
generating statistics concerning lengths of packets and determining whether the 
first network domain is sourcing undesirable network traffic based on said 
statistics. 

53. (Previously presented) The method of claim 14, further comprising 
generating statistics concerning distributions of time to live values and 
determining whether the first network domain is sourcing undesirable network 
traffic based on said statistics. 

54. (Previously presented) The method of claim 14, further comprising tracking 
differences between outbound TCP SYN and FIN packets and inbound response 
packets and determining whether the first network domain is sourcing undesirable 
network traffic based on said differences.

55. (Cancelled) 

56. (Previously presented) The method of claim 14, further comprising 
instructing a routing device to slow the undesirable network traffic. 

57. (Previously presented) A network traffic regulation method comprising: 
monitoring network traffic routed by a first routing device of a first network
domain;

monitoring network traffic routed by a second routing device of said first 
network domain; 

determining if at least a selected one of the first and a second network domain 
is sourcing undesirable network traffic out of the selected one of the first 
and second network domains based on network traffic characteristics

Application No.: 09/706,503
Amendment dated: December 9, 2009
Reply to Office Action of November 9, 2009
Attorney Docket No.: 0016.0005US1

observed of network traffic routed through said first and second routing 
devices, wherein undesirable network traffic comprises a denial of service 
attack in which the undesirable network traffic is launched against a
target network device in order to undermine the operation of that target 
network device by overwhelming the target network device with network 
traffic; 

upon determining undesirable network traffics are being sourced out of at least 
a selected one of said first and second network domains, lowering a 
threshold for concluding that undesirable network traffic are being 
sourced out of an other one of said first and second network domains. 

58. (Previously presented) A network comprising: 
a network domain which is a local area network; 

a routing device in the local area network at a boundary between the local area 
network and public internetworking fabric to route network traffic 
between the network domain and the public internetworking fabric; and 

a monitor/regulator, either integrally disposed in said routing device or coupled 
to the routing device, to monitor the network traffic routed by said routing 
device by analyzing flow records describing traffic conversation as 
indicated by a combination of source and destination addresses received 
from the routing device, the monitor/regulator determining if the network 
domain is sourcing undesirable network traffic that is originating in the 
network domain and being routed out of the network domain by the 
routing device, the monitor/regulator generating statistics concerning 
destination addresses to determine whether the network domain is 
sourcing the undesirable network traffic, wherein said monitor/regulator 
instructs the routing device to lower a priority of the undesirable network 
traffic and/or slow the undesirable network traffic; 

wherein the undesirable network traffic comprises a denial of service attack in 
which the undesirable network traffic is launched against a target network 
device in order to undermine the operation of that target network device 
by overwhelming the target network device with network traffic, out of
the network domain, 
wherein said monitor/regulator makes said determination based on differential 
characteristics of network traffic routed out of said network domain 
relative to network traffic routed into said network domain and aggregates 
said differential characteristics based on differential characteristics 
between request packets routed out of said network domain, and response 
packets routed into the network domain and wherein said 
monitor/regulator instructs the routing device to lower a priority of the 
undesirable network traffic that is being sourced from the network domain 
in response to making said determination that the network domain is 
sourcing the undesirable network traffic. 



59. (New) The network of claim 1 further comprising: 

a second network domain including a second routing device for routing
network traffic out of and into the second network domain;
wherein said monitor/regulator further monitors the network traffic routed by 
said second routing device and determines if at least a selected one of the 
first and second network domains is sourcing undesirable network traffic 
out of the selected one of the first and second network domains based on 
network traffic characteristics observed of network traffic routed through 
said first and second routing devices;
wherein said monitor/regulator, upon determining undesirable network traffics 
are being sourced out of at least one of said first and second network 
domains, lowers a threshold for concluding that undesirable network 
traffic are being sourced out of an other one of said first and second 
network domains. 
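
An added illustration, not part of the application or its specification: one way a monitor could compute the request/response differential of claims 1, 3 and 45 from boundary-router flow records, and lower the threshold for a second domain as in claims 48, 57 and 59. The record fields, threshold values and addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    domain: str     # domain whose boundary router exported the record (assumed field)
    src: str
    dst: str
    outbound: bool  # True = routed out of the domain, False = routed into it
    packets: int    # outbound: TCP SYN count; inbound: SYN-ACK count (assumed field)

def aggregate(flows):
    """Per (domain, outside address): [requests routed out, responses routed in]."""
    stats = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.outbound:
            stats[(f.domain, f.dst)][0] += f.packets
        else:
            stats[(f.domain, f.src)][1] += f.packets
    return stats

def suspects(stats, domain, min_requests, min_unanswered):
    """Outside addresses that receive many requests from `domain` but answer few."""
    hits = []
    for (dom, target), (req, resp) in stats.items():
        if dom != domain or req == 0 or req < min_requests:
            continue
        unanswered = 1 - min(resp, req) / req
        if unanswered >= min_unanswered:
            hits.append(target)
    return sorted(hits)

def evaluate(flows, min_requests=100, min_unanswered=0.8, relax=0.5):
    """Map each domain to the targets whose outbound traffic should be deprioritised."""
    stats = aggregate(flows)
    domains = sorted({dom for dom, _ in stats})
    verdict = {d: suspects(stats, d, min_requests, min_unanswered) for d in domains}
    if any(verdict.values()):
        # One domain is sourcing an attack: re-check the others with lowered thresholds.
        for d in domains:
            if not verdict[d]:
                verdict[d] = suspects(stats, d, min_requests * relax,
                                      min_unanswered * relax)
    return verdict

# Constructed flow records (documentation and private address ranges).
FLOWS = [
    Flow("dom-A", "10.1.0.5", "203.0.113.10", True, 200),
    Flow("dom-A", "10.1.0.6", "203.0.113.10", True, 200),
    Flow("dom-A", "203.0.113.10", "10.1.0.5", False, 5),
    Flow("dom-A", "10.1.0.7", "198.51.100.7", True, 150),
    Flow("dom-A", "198.51.100.7", "10.1.0.7", False, 150),
    Flow("dom-B", "10.2.0.9", "203.0.113.10", True, 60),
    Flow("dom-B", "203.0.113.10", "10.2.0.9", False, 3),
    Flow("dom-B", "10.2.0.4", "198.51.100.7", True, 80),
    Flow("dom-B", "198.51.100.7", "10.2.0.4", False, 80),
]

if __name__ == "__main__":
    for domain, targets in evaluate(FLOWS).items():
        print(domain, "lower priority of traffic to:", targets)
```

Taken alone, dom-B's 60 mostly unanswered requests stay under the default threshold; they are flagged only because dom-A was flagged first.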